Use case of JavaScript in Cyber Security

Mayank_Agarwal
Sep 7, 2021

JavaScript

JavaScript is a very useful programming language. Netscape developers invented JavaScript in 1995, and it revolutionized the web. Before JavaScript, webpages could pretty much only contain text, images, and hyperlinks. JavaScript empowered web developers to make webpages interactive and dynamic rather than static. Think of picture menus that animated when your mouse cursor went over them, and applets that could give you your local weather forecast or tell you which web browser you’re using. And JavaScript can do many other things.

As time went on, JavaScript became increasingly powerful. And it’s still commonly used, nearly 26 years later. The advent of HTML5 and later versions of CSS has given web developers more options for using client-side scripting to make webpages dynamic.

Many well-known JavaScript vulnerabilities can affect both the server side and the client side. Malicious hackers can exploit these vulnerabilities by traversing a number of open paths through your application. When using JavaScript in your application, it is critical to take all JavaScript security threats seriously and to use an open source vulnerability scanner to find them.

Cyber Security and JavaScript

JavaScript itself is a fundamental technology for building web applications and is also very popular for building server-side, desktop, and even mobile applications. Its widespread popularity, however, also makes it a prime target for hackers, who attack it through various vectors. Because JavaScript is used mostly in the front end, it makes sense to focus first on JavaScript security issues in browsers.

Software vendors have also recognized these JavaScript security issues, reacting with JavaScript security scanner software and a variety of JavaScript security testing tools that make applications more secure and greatly reduce JavaScript security risks.

JavaScript security covers investigating, preventing, protecting against, and resolving security issues in applications where JavaScript is used. The most common JavaScript vulnerabilities include Cross-Site Scripting (XSS), malicious code, man-in-the-middle attacks, and exploitable flaws in the source code of web applications.

The most common JavaScript attack vectors include executing malicious script, stealing a user’s established session data or data from the browser’s localStorage, tricking users into performing unintended actions, and exploiting vulnerabilities in the source code of web applications.

Let’s have a look at these attack methods.

Cross-Site Scripting (XSS)

The majority of unintended script execution attacks involve Cross-Site Scripting (XSS). A particular concern related to JavaScript is the way it interacts with the Document Object Model (DOM) on a web page, allowing scripts to be embedded and executed on client computers across the web. And so, while several different types of XSS attacks exist, what they all have in common is that they cause untrusted script to appear and run in the user’s browser.

Attack script:

<script>alert('You have been hacked !')</script>

Posting such a script would make every end user a victim, unintentionally facilitating the attack simply by running the application, with the malicious code appearing to be part of the web page. While the above code is harmless, a real-life hacker could of course post far more dangerous code.

XSS attacks rely on supplying data that contains certain special characters that are used in the underlying HTML, JavaScript, or CSS of a web page. When the browser is rendering the web page and encounters these characters, it sees them as part of the code of the web page rather than a value to be displayed. This is what allows the attacker to break out of a text field and supply additional browser-side code that gets executed.

To prevent XSS attacks, developers should apply sanitization — a combination of escaping, filtering, and validating string data — when handling user input and output from the server.
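The three parts of sanitization named above, applied to the script from the attack example. This is an added example, not code from the original article; the helper names (escapeHtml, filterUrl, isValidUsername, renderCommentUnsafe, renderCommentSafe) and the comment object are assumptions made for illustration.

```javascript
// Added example: escaping, filtering and validating untrusted input.
// All helper names are hypothetical, not a library API.

// Escaping: turn HTML metacharacters into entities so the browser
// displays them as text instead of parsing them as markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Filtering: only absolute http(s) links pass; any other scheme is dropped.
function filterUrl(value) {
  try {
    const url = new URL(String(value).trim());
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null; // not a parsable absolute URL
  }
}

// Validating: reject input that does not match the expected shape.
function isValidUsername(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_]{3,20}$/.test(value);
}

// Vulnerable: untrusted values are concatenated straight into markup.
function renderCommentUnsafe(c) {
  return `<p><a href="${c.site}">${c.user}</a>: ${c.text}</p>`;
}

// Hardened: validate the name, filter the link, escape everything on output.
function renderCommentSafe(c) {
  if (!isValidUsername(c.user)) throw new Error('invalid username');
  const site = filterUrl(c.site);
  const name = escapeHtml(c.user);
  const who = site ? `<a href="${escapeHtml(site)}">${name}</a>` : name;
  return `<p>${who}: ${escapeHtml(c.text)}</p>`;
}

// Constructed sample comment that reuses the script shown above.
const sample = {
  user: 'mallory_1',
  site: 'javascript:alert(1)',
  text: "<script>alert('You have been hacked !')</script>",
};
console.log(renderCommentUnsafe(sample)); // markup survives intact
console.log(renderCommentSafe(sample));   // markup is shown as plain text
```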

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (XSRF or CSRF) is a well-known attack in which the hacker attempts to impersonate or completely take over the identity of the victim by hijacking their active session cookie. This attack is possible when the target site authenticates a request using only cookies, which allows the hacker to gain access to or hijack the functional cookies and so appear to be a legitimate user.

This attack can be very harmful to the victim and can lead to fraud, account tampering, or data theft. The most common targets are popular web applications such as social media, web interfaces, online banking, and in-browser email clients.

How can it be prevented?

  • Encrypt: Use HTTPS/SSL to encrypt data exchanged between the client and the server.
  • Set secure cookies: To ensure SSL/HTTPS is in use, set your cookies as “secure,” which limits the use of your application’s cookies to only secure web pages.
  • Set API access keys: Assign individual tokens for each end user. If these tokens don’t match up, access can be denied or revoked.
  • Use safe methods of DOM manipulation: Methods such as innerHTML are powerful and potentially dangerous, as they don’t limit or escape/encode the values that are passed to them. Using a method like innerText instead provides inherent escaping of potentially hazardous content. This is particularly useful in preventing DOM-based XSS attacks.
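A server-side sketch of the "secure cookies" and "individual tokens" items from the list above, written for Node.js. It is an added example, not code from the original article; the in-memory session store, the request object shape and the function names are assumptions, and the HttpOnly and SameSite cookie attributes go beyond what the list mentions.

```javascript
// Added example: per-session token check plus a Secure session cookie.
const nodeCrypto = require('node:crypto');

// Hypothetical in-memory session store: session id -> expected token.
const sessions = new Map();

function startSession() {
  const sessionId = nodeCrypto.randomBytes(32).toString('hex');
  const csrfToken = nodeCrypto.randomBytes(32).toString('hex');
  sessions.set(sessionId, csrfToken);
  // Secure: the cookie is only sent over HTTPS (the list's advice).
  // HttpOnly and SameSite are additions beyond the article.
  const setCookie = `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
  return { sessionId, csrfToken, setCookie };
}

// Constant-time comparison so the check does not leak how much matched.
function tokensMatch(expected, supplied) {
  if (typeof supplied !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// The cookie identifies the session; a state-changing request must also
// carry the token the server issued for that session.
function authorize(req) {
  const expected = sessions.get(req.cookieSid);
  if (!expected) return { status: 401, reason: 'no session' };
  if (!SAFE_METHODS.has(req.method) && !tokensMatch(expected, req.csrfToken)) {
    return { status: 403, reason: 'token mismatch' };
  }
  return { status: 200, reason: 'ok' };
}

// Constructed requests: the browser attaches the cookie to both, but only
// the application's own form knows the token.
const s = startSession();
const legit = { method: 'POST', cookieSid: s.sessionId, csrfToken: s.csrfToken };
const forged = { method: 'POST', cookieSid: s.sessionId, csrfToken: undefined };
console.log(authorize(legit), authorize(forged));
```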

Thank you !!!
